CVE-2009-1306

Name of the Vulnerable Software and Affected Versions Mozilla Firefox versions prior to 3.0.9 Thunderbird (affected versions not specified) SeaMonkey (affected versions not specified)

Description The issue concerns the jar: URI implementation, which fails to follow the Content-Disposition header of the inner URI. This allows remote attackers to conduct cross-site scripting (XSS) attacks and possibly other attacks via an uploaded .jar file with a "Content-Disposition: attachment" designation.

Recommendations For Mozilla Firefox versions prior to 3.0.9, update to version 3.0.9 or later. For Thunderbird, at the moment, there is no information about a newer version that contains a fix for this vulnerability. For SeaMonkey, at the moment, there is no information about a newer version that contains a fix for this vulnerability.